Add optimised gnutls cipher string to SSL cookbook and use it for exim

author Tom Hughes <tom@compton.nu>

Fri, 5 Oct 2018 15:09:20 +0000 (16:09 +0100)

committer Tom Hughes <tom@compton.nu>

Fri, 5 Oct 2018 15:38:35 +0000 (16:38 +0100)
author Tom Hughes <tom@compton.nu>
Fri, 5 Oct 2018 15:09:20 +0000 (16:09 +0100)
committer Tom Hughes <tom@compton.nu>
Fri, 5 Oct 2018 15:38:35 +0000 (16:38 +0100)
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml

index 02bdf670183366174f407edd586b69259d1aa9c6..c0e6c97babfa71a799c46a6c14fa12f2d41fa6b2 100644 (file)
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -23,7 +23,7 @@ Metrics/CyclomaticComplexity:
  # Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives.
  # URISchemes: http, https
  Metrics/LineLength:
-  Max: 696
+  Max: 704
  
  # Offense count: 24
  # Configuration parameters: CountComments.
diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb

index ffbbcbb5e7259e0ec5fbb48b8932a867048348ac..9f20fb63274d6d30f269a68a13823698a5f4bbbf 100644 (file)
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
@@ -3,7 +3,7 @@
  SSLProtocol All -SSLv2 -SSLv3
  
  SSLHonorCipherOrder On
-SSLCipherSuite <%= node[:ssl][:ciphers] %>
+SSLCipherSuite <%= node[:ssl][:openssl_ciphers] %>
  <% if node[:lsb][:release].to_f < 16.04 -%>
  
  SSLCertificateChainFile /etc/ssl/certs/letsencrypt.pem
diff --git a/cookbooks/exim/metadata.rb b/cookbooks/exim/metadata.rb

index eb25776e1ace635c450434c49babc7ea01cec59d..19ab6af9d4a0304b9fa13317d9ec232bc60af5e9 100644 (file)
--- a/cookbooks/exim/metadata.rb
+++ b/cookbooks/exim/metadata.rb
@@ -7,3 +7,4 @@ long_description  IO.read(File.join(File.dirname(__FILE__), "README.md"))
  version           "1.0.0"
  supports          "ubuntu"
  depends           "networking"
+depends           "ssl"
diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb

index e0224872e5373bcf5802273c2a3bd2ddae495d04..f541cec1765d60be1fbc7fc137ca6c927762dd8b 100644 (file)
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -148,7 +148,7 @@ tls_advertise_hosts = <; !127.0.0.1 ; !::1
  
  # Configured TLS cipher selection.
  
-tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
+tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%SERVER_PRECEDENCE
  
  # Specify the location of the Exim server's TLS certificate and private key.
  # The private key must not be encrypted (password protected). You can put
@@ -662,7 +662,7 @@ begin transports
  remote_smtp:
    driver = smtp
    multi_domain = false
-  tls_require_ciphers = NORMAL:-VERS-SSL3.0:-CIPHER-ALL:-SHA1:-MD5:+SHA1:+AES-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:%SERVER_PRECEDENCE
+  tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%LATEST_RECORD_VERSION
  
  
  # This transport is used for handling pipe deliveries generated by alias or
diff --git a/cookbooks/nginx/templates/default/nginx.conf.erb b/cookbooks/nginx/templates/default/nginx.conf.erb

index 429716d04150bfce44404c1f6f12084b93d7de8d..77820eb91fe374f89cee1ecae9f3fef196c87cac 100644 (file)
--- a/cookbooks/nginx/templates/default/nginx.conf.erb
+++ b/cookbooks/nginx/templates/default/nginx.conf.erb
@@ -34,7 +34,7 @@ http {
      server_tokens off;
  
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers <%= node[:ssl][:ciphers] -%>;
+    ssl_ciphers <%= node[:ssl][:openssl_ciphers] -%>;
      ssl_prefer_server_ciphers on;
      ssl_session_cache shared:SSL:50m;
      ssl_session_timeout 30m;
diff --git a/cookbooks/ssl/attributes/default.rb b/cookbooks/ssl/attributes/default.rb

index 614e0bda9ada95e0527d6803cb7b746aaced8dcb..e990eed724546c477aa294de7cb1fb606f54c17f 100644 (file)
--- a/cookbooks/ssl/attributes/default.rb
+++ b/cookbooks/ssl/attributes/default.rb
@@ -1,2 +1,7 @@
-default[:ssl][:ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+default[:ssl][:openssl_ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+default[:ssl][:gnutls_ciphers] = if node[:lsb][:release].to_f >= 18.04
+                                   "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-X25519:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:-SIGN-DSA-SHA384:-SIGN-DSA-SHA512:+AES-256-GCM:+AES-256-CCM:+CHACHA20-POLY1305:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+AES-128-CCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL:%PROFILE_LOW"
+                                 else
+                                   "NONE:+AEAD:+SHA256:+SHA1:+SHA384:+SHA512:+CURVE-SECP256R1:+CURVE-SECP384R1:+CURVE-SECP521R1:+SIGN-ALL:-SIGN-RSA-MD5:-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256:+AES-256-GCM:+CAMELLIA-256-GCM:+AES-256-CBC:+CAMELLIA-256-CBC:+AES-128-GCM:+CAMELLIA-128-GCM:+AES-128-CBC:+CAMELLIA-128-CBC:+ECDHE-RSA:+ECDHE-ECDSA:+RSA:+DHE-RSA:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+VERS-DTLS1.2:+VERS-DTLS1.0:+COMP-NULL"
+                                 end
  default[:ssl][:strict_transport_security] = "max-age=31536000; includeSubDomains; preload"
author	Tom Hughes <tom@compton.nu>
	Fri, 5 Oct 2018 15:09:20 +0000 (16:09 +0100)
committer	Tom Hughes <tom@compton.nu>
	Fri, 5 Oct 2018 15:38:35 +0000 (16:38 +0100)
.rubocop_todo.yml		patch \| blob \| history
cookbooks/apache/templates/default/ssl.erb		patch \| blob \| history
cookbooks/exim/metadata.rb		patch \| blob \| history
cookbooks/exim/templates/default/exim4.conf.erb		patch \| blob \| history
cookbooks/nginx/templates/default/nginx.conf.erb		patch \| blob \| history
cookbooks/ssl/attributes/default.rb		patch \| blob \| history